Automating Cybersecurity

By KENNETH CHANG

June 2, 2014

If only computers themselves were smart enough to fight off malevolent hackers.

That is the premise of an ambitious two-year contest with a $2 million first prize, posed to the world’s computer programmers by the Defense Advanced Research Projects Agency, better known by its acronym, Darpa. It is the blue-sky, big-think organization within the Defense Department that created a precursor of the Internet in the late 1960s and more recently held a contest that spurred development of self-driving cars.

Michael Walker, the Darpa cybersecurity program manager who is running the contest, imagines a future in which sensors on computer networks could detect intruders, identify the flaws that let them in, and automatically make the necessary repairs, all without a human computer expert lifting a finger.

No such system exists today. The network security flaw called Heartbleed, for example, persisted for years in Web servers around the world before experts found it in April; hackers who knew about it could have used it to steal passwords and personal information. (Whether anyone did is unknown, but there were attacks after the bug was disclosed.) “Not a single automation tool has stepped forward and said it could find that flaw unassisted,” Mr. Walker said.

With numerous flaws in complex software, large data thefts have become commonplace. The credit card numbers of millions of Target shoppers were stolen last year. Last month, eBay told its users to change their passwords after its servers were breached.

“The problem is the fortification principle,” Mr. Walker said. “The cost for defenders of trying to block every possible weakness is so much greater than the cost of attackers, to be able to find one way in.”

The targets of the future will be even wider as networked computer processors show up in watches, thermostats, cars — the so-called Internet of Things. Then the potential consequences will include not just stolen data and crashed computers but crashed cars in the real world.

“If we don’t have a new security model,” said Daniel Kaufman, the director of Darpa’s Information Innovation Office and Mr. Walker’s boss, “we’re kind of doomed.”

Mr. Kaufman said that perfect security was impossible, but that the goal was to make cybersecurity more like physical security. A determined thief can break into a locked, alarmed house, but cannot burglarize an entire neighborhood in one swoop.

“It’s not like the bad guys are going to say, ‘Well played, Darpa — we give up,’ ” he said. “But if nothing else, we will have eliminated easy attacks and raised the cost to them of any attack.”

Darpa announced its Cyber Grand Challenge last fall. On Tuesday, it will release details that will allow programmers to start preparing for the qualifying round, to be held a year from now. More than 35 teams have already signed up to compete.

Seeking Collaboration

The fundamental security imbalance is that human experts are too slow to spot and fix vulnerabilities before attackers can exploit them.

The top experts, who tend to work for the government or financial companies, are often able to protect the most valuable and sensitive information. But vast stretches of the Internet are less carefully protected.

And computers that might automate the task have limited sleuthing skills.

Mr. Walker likened the situation to computers that play chess. It was in 1950 that Claude E. Shannon, the pioneering computer scientist, outlined what it would take to create a competitive chess program; that, Mr. Walker said, is about where automated cybersecurity stands now.

Not until 1970 did the Association for Computing Machinery set up a chess tournament in which computers played each other. (Good human players were bored by such feeble opponents.)

The competition spurred quick improvements as programmers collaborated with chess players, blending the expertise of both fields. Seven years later, a computer beat a player with a grandmaster rating. In 1997, IBM’s Deep Blue defeated Garry Kasparov, the world chess champion.

Mr. Walker said he expected the cybersecurity challenge would bring together hackers with academic researchers, and the collaboration could similarly spur advances. “We want to collide the two,” he said.

Darpa also has a history of successful grand challenges. In 2004, it offered a $1 million prize for a robotic vehicle that could drive itself 150 miles across the Mojave Desert in California.

The most successful competitor drove just 7.3 miles. The following year, five cars finished the entire course. Many of the engineers who competed in the Darpa challenge now work at Google, developing self-driving cars that are driving on public roads today.

‘A Petri Dish’

The Cyber Grand Challenge is modeled roughly after “capture the flag” competitions at computer security conferences like Def Con, held each year in Las Vegas, in which teams are given software with deliberate flaws. They quickly analyze the software and figure out how to exploit the flaws to read hidden information on competitors’ computers while devising defenses to fend off attacks from the other teams. (The Darpa team has hired programmers who had previously put together the Def Con competitions.)

The hope is that such an elaborate analysis-and-defense system can be automated. “Studying software sounds like it’s something machines should be able to do,” Mr. Walker said. But like chess, cybersecurity is far from simple. Pieces of such a system do exist. David Brumley, a computer science professor at Carnegie Mellon University in Pittsburgh and chief executive of the start-up ForAllSecure, led a team that developed a computer program that scans software for the Linux computer operating system. In 33,000 pieces of Linux software, it discovered 13,000 flaws that could cause the software to crash — and it demonstrated the crashes.

In 152 cases, they showed that they could even take over the computer, turning it into a zombie to follow their commands.
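What it means for a tool to find a crash "unassisted" and then demonstrate it can be shown with a small harness. The following is an added illustration for this article and is not ForAllSecure's or Dr. Brumley's program: it pairs a constructed toy record parser that trusts an attacker-controlled length byte with a hardened copy that checks the length first, then runs a simple mutation fuzzer over both, keeps a minimized reproducer for every crash it finds, and re-runs the reproducer to confirm the crash is deterministic. The record format, seed input and mutation strategies are all hypothetical.

```python
"""Minimal mutation fuzzer that finds, minimizes and reproduces crashes.
Added example; the parser and record format are constructed for illustration."""
import random
from typing import Callable, Optional

Target = Callable[[bytes], Optional[bytes]]


def parse_record(data: bytes) -> Optional[bytes]:
    """Toy format: [length][payload...][checksum]. Intentionally buggy: it
    trusts the length byte, so a truncated record reads past the input."""
    if not data:
        return None
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError when the record is truncated
    if sum(payload) & 0xFF != checksum:
        return None
    return payload


def parse_record_fixed(data: bytes) -> Optional[bytes]:
    """Hardened copy: the declared length must fit inside the input."""
    if not data:
        return None
    length = data[0]
    if len(data) < 2 + length:           # length byte + payload + checksum byte
        return None
    payload = data[1:1 + length]
    checksum = data[1 + length]
    if sum(payload) & 0xFF != checksum:
        return None
    return payload


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record to seed the fuzzer (constructed input)."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, truncation, insertion or overwrite."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def crashes(target: Target, data: bytes) -> bool:
    """In this toy, any uncaught exception stands in for a process crash."""
    try:
        target(data)
        return False
    except Exception:
        return True


def minimize(target: Target, data: bytes) -> bytes:
    """Drop bytes one at a time while the input still crashes the target."""
    i = 0
    while i < len(data):
        candidate = data[:i] + data[i + 1:]
        if crashes(target, candidate):
            data = candidate
        else:
            i += 1
    return data


def fuzz(target: Target, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> list:
    """Mutate the seed repeatedly; return sorted, minimized crashing inputs."""
    rng = random.Random(seed)            # fixed seed keeps runs reproducible
    found = set()
    for _ in range(iterations):
        data = seed_input
        for _ in range(rng.randint(1, 3)):
            data = mutate(rng, data)
        if crashes(target, data):
            found.add(minimize(target, data))
    return sorted(found)


def reproduce(target: Target, data: bytes) -> str:
    """Re-run a saved reproducer; report the exception type or 'no crash'."""
    try:
        target(data)
        return "no crash"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    seed_record = make_record(b"hello")
    for name, fn in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        hits = fuzz(fn, seed_record)
        print(f"{name}: {len(hits)} distinct crashing inputs")
        for hit in hits[:3]:
            print("  ", hit, "->", reproduce(fn, hit))
```

Running the block fuzzes both parsers from the same seed record: the buggy parser yields a handful of one- or two-byte reproducers that raise IndexError on every re-run, while the hardened parser yields none. The minimizer is the piece that turns "something crashed" into a demonstrable, reportable flaw, which is the distinction the article draws between finding a crash and proving it.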

In the Cyber Grand Challenge, the competitors will each be given a suite of software programs containing hidden, intentional security flaws. The programs perform ordinary tasks on a closed computer network, perhaps things like receiving and sending email or responding to information requests the way a Web server does.

As the automated systems defend themselves, they must ensure that these workaday programs (called challenge binaries) continue to operate. Thus, the cybersecurity system acts like an airport checkpoint: It will earn points if it allows the challenge binaries to operate as designed — the equivalent of letting harmless luggage pass through an X-ray machine — while detecting and stopping attacks from competitors.

The contest software and network will be incompatible with the Internet — partly so none of the flaws and hacks accidentally escape and infect, but mainly to create a simplified, controlled environment in which the teams can come up with general strategies that can be widely applied.

“It’s a petri dish for computer security,” Mr. Walker said.

A Lingering Friction

Darpa is providing grants of $750,000 to each of seven teams, including one organized by Dr. Brumley, but the competition is open to any team.

Dr. Brumley’s team will consist of employees of ForAllSecure. While he has a system for finding and exploiting bugs, he lacks other parts of an automated system, like the ability to fix them.

The top seven teams in the qualifying round will then each receive $750,000 to prepare for the finals, which will be held in 2016 in Las Vegas, at the same time and place as Def Con. The winning team will take home $2 million. The second-place finisher will win $1 million, and third place receives $750,000.

Because Darpa events are free and open to the public while Def Con is a paid conference, the two events will be separate but adjoining. That represents a bit of a détente between the government and the hacker world, whose relations have been particularly tense since Edward J. Snowden’s revelations about the computer surveillance tactics of the National Security Agency. Last year, Jeff Moss, the founder of Def Con, wrote in a public message, “I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend Def Con this year.”

Mr. Moss said that this year there would not be a big welcome mat for government employees, “but we’re not going to say, ‘You’re disinvited’ or ‘Stay away.’ ”

Mr. Moss did not hold the N.S.A. spying revelations against Darpa. “I think Darpa is a completely different animal,” he said. The cybersecurity challenge will be an exciting match, Mr. Moss added. “It’s a glimpse into the future. These problems seem ripe for automation.”

Mr. Walker also said he wanted to broadcast the competitions over the web and to enlist game developers to come up with eye-catching visualizations showing the ebb and flow of battle between the computers.

“We also need sportscasters,” he said, adding: “ ‘Sportscaster’ may not be the right word. Professional explainers.”

For the humans behind the computer competitors, it will be an odd change from the capture-the-flag competitions. Instead of several intense days pounding on keyboards, they will just set up their systems and then watch with everyone else.